Configure an access review to meet the security requirements for the workload administrators

Written by John Gruber Published on Last Updated on

Security Requirements: GitBit identifies the following security requirements:

• Access to the Azure Active Directory admin center by the user administrators must be reviewed every seven days. If an administrator does not respond to an access request within three days, access must be removed
• Users who manage Microsoft 365 workloads must only be allowed to perform administrative tasks for up to three hours at a time. Global administrators must be exempt from this requirement
• Users must be prevented from inviting external users to view company data. Only global administrators and a user named User1 must be able to send invitations
• Azure Advanced Threat Protection (ATP) must capture security group modifications for sensitive groups, such as Domain Admins in Active Directory
• Workload administrators must use multi-factor authentication (MFA) when signing in from an anonymous or an unfamiliar location
• The location of the user administrators must be audited when the administrators authenticate to Azure AD
• Email messages that include attachments that have malware must be delivered without the attachment
• The principle of least privilege must be used whenever possible

You plan to configure an access review to meet the security requirements for the workload administrators. You create an access review policy and specify the scope and a group.

Which other settings should you configure? To answer, select the correct options in the answer area.